public void StartGoodSigningRequests()
{
AssertIgnoreTestWithoutGoodRegistration();
AssertIgnoreTestWithoutGoodNewKeyPairRequest();
ConnectGDS(true);
foreach (var application in _goodApplicationTestSet)
{
Assert.Null(application.CertificateRequestId);
X509Certificate2 csrCertificate;
if (application.PrivateKeyFormat == "PFX")
{
csrCertificate = X509Utils.CreateCertificateFromPKCS12(application.PrivateKey, application.PrivateKeyPassword);
}
else
{
csrCertificate = CertificateFactory.CreateCertificateWithPEMPrivateKey(new X509Certificate2(application.Certificate), application.PrivateKey, application.PrivateKeyPassword);
}
byte[] certificateRequest = CertificateFactory.CreateSigningRequest(csrCertificate, application.DomainNames);
csrCertificate.Dispose();
NodeId requestId = _gdsClient.GDSClient.StartSigningRequest(
application.ApplicationRecord.ApplicationId,
application.CertificateGroupId,
application.CertificateTypeId,
certificateRequest);
Assert.NotNull(requestId);
application.CertificateRequestId = requestId;
}
}
public static void VerifyApplicationCertIntegrity(byte[] certificate, byte[] privateKey, string privateKeyPassword, string privateKeyFormat, byte[][] issuerCertificates)
{
X509Certificate2 newCert = new X509Certificate2(certificate);
Assert.IsNotNull(newCert);
X509Certificate2 newPrivateKeyCert = null;
if (privateKeyFormat == "PFX")
{
newPrivateKeyCert = X509Utils.CreateCertificateFromPKCS12(privateKey, privateKeyPassword);
}
else if (privateKeyFormat == "PEM")
{
newPrivateKeyCert = CertificateFactory.CreateCertificateWithPEMPrivateKey(newCert, privateKey, privateKeyPassword);
}
else
{
Assert.Fail("Invalid private key format");
}
Assert.IsNotNull(newPrivateKeyCert);
// verify the public cert matches the private key
Assert.IsTrue(X509Utils.VerifyRSAKeyPair(newCert, newPrivateKeyCert, true));
Assert.IsTrue(X509Utils.VerifyRSAKeyPair(newPrivateKeyCert, newPrivateKeyCert, true));
CertificateIdentifierCollection issuerCertIdCollection = new CertificateIdentifierCollection();
foreach (var issuer in issuerCertificates)
{
var issuerCert = new X509Certificate2(issuer);
Assert.IsNotNull(issuerCert);
issuerCertIdCollection.Add(new CertificateIdentifier(issuerCert));
}
// verify cert with issuer chain
CertificateValidator certValidator = new CertificateValidator();
CertificateTrustList issuerStore = new CertificateTrustList();
CertificateTrustList trustedStore = new CertificateTrustList();
trustedStore.TrustedCertificates = issuerCertIdCollection;
certValidator.Update(trustedStore, issuerStore, null);
Assert.That(() => {
certValidator.Validate(newCert);
}, Throws.Exception);
issuerStore.TrustedCertificates = issuerCertIdCollection;
certValidator.Update(issuerStore, trustedStore, null);
certValidator.Validate(newCert);
}
private ServiceResult UpdateCertificate(
ISystemContext context,
MethodState method,
NodeId objectId,
NodeId certificateGroupId,
NodeId certificateTypeId,
byte[] certificate,
byte[][] issuerCertificates,
string privateKeyFormat,
byte[] privateKey,
ref bool applyChangesRequired)
{
HasApplicationSecureAdminAccess(context);
if (certificate == null)
{
throw new ArgumentNullException(nameof(certificate));
}
privateKeyFormat = privateKeyFormat?.ToUpper();
if (!(String.IsNullOrEmpty(privateKeyFormat) || privateKeyFormat == "PEM" || privateKeyFormat == "PFX"))
{
throw new ServiceResultException(StatusCodes.BadNotSupported, "The private key format is not supported.");
}
ServerCertificateGroup certificateGroup = VerifyGroupAndTypeId(certificateGroupId, certificateTypeId);
certificateGroup.UpdateCertificate = null;
X509Certificate2Collection newIssuerCollection = new X509Certificate2Collection();
X509Certificate2 newCert;
try
{
// build issuer chain
if (issuerCertificates != null)
{
foreach (byte[] issuerRawCert in issuerCertificates)
{
var newIssuerCert = new X509Certificate2(issuerRawCert);
newIssuerCollection.Add(newIssuerCert);
}
}
newCert = new X509Certificate2(certificate);
}
catch
{
throw new ServiceResultException(StatusCodes.BadCertificateInvalid, "Certificate data is invalid.");
}
// validate new subject matches the previous subject
if (!X509Utils.CompareDistinguishedName(certificateGroup.ApplicationCertificate.SubjectName, newCert.SubjectName.Name))
{
throw new ServiceResultException(StatusCodes.BadSecurityChecksFailed, "Subject Name of new certificate doesn't match the application.");
}
// self signed
bool selfSigned = X509Utils.CompareDistinguishedName(newCert.Subject, newCert.Issuer);
if (selfSigned && newIssuerCollection.Count != 0)
{
throw new ServiceResultException(StatusCodes.BadCertificateInvalid, "Issuer list not empty for self signed certificate.");
}
if (!selfSigned)
{
try
{
// verify cert with issuer chain
CertificateValidator certValidator = new CertificateValidator();
CertificateTrustList issuerStore = new CertificateTrustList();
CertificateIdentifierCollection issuerCollection = new CertificateIdentifierCollection();
foreach (var issuerCert in newIssuerCollection)
{
issuerCollection.Add(new CertificateIdentifier(issuerCert));
}
issuerStore.TrustedCertificates = issuerCollection;
certValidator.Update(issuerStore, issuerStore, null);
certValidator.Validate(newCert);
}
catch
{
throw new ServiceResultException(StatusCodes.BadSecurityChecksFailed, "Failed to verify integrity of the new certificate and the issuer list.");
}
}
var updateCertificate = new UpdateCertificateData();
try
{
var passwordProvider = m_configuration.SecurityConfiguration.CertificatePasswordProvider;
switch (privateKeyFormat)
{
case null:
case "":
{
X509Certificate2 certWithPrivateKey = certificateGroup.ApplicationCertificate.LoadPrivateKeyEx(passwordProvider).Result;
updateCertificate.CertificateWithPrivateKey = CertificateFactory.CreateCertificateWithPrivateKey(newCert, certWithPrivateKey);
break;
}
case "PFX":
{
X509Certificate2 certWithPrivateKey = X509Utils.CreateCertificateFromPKCS12(privateKey, passwordProvider?.GetPassword(certificateGroup.ApplicationCertificate));
updateCertificate.CertificateWithPrivateKey = CertificateFactory.CreateCertificateWithPrivateKey(newCert, certWithPrivateKey);
break;
}
case "PEM":
{
updateCertificate.CertificateWithPrivateKey = CertificateFactory.CreateCertificateWithPEMPrivateKey(newCert, privateKey, passwordProvider?.GetPassword(certificateGroup.ApplicationCertificate));
break;
}
}
updateCertificate.IssuerCollection = newIssuerCollection;
updateCertificate.SessionId = context.SessionId;
}
catch
{
throw new ServiceResultException(StatusCodes.BadSecurityChecksFailed, "Failed to verify integrity of the new certificate and the private key.");
}
certificateGroup.UpdateCertificate = updateCertificate;
applyChangesRequired = true;
if (updateCertificate != null)
{
try
{
using (ICertificateStore appStore = certificateGroup.ApplicationCertificate.OpenStore())
{
Utils.LogCertificate(Utils.TraceMasks.Security, "Delete application certificate: ", certificateGroup.ApplicationCertificate.Certificate);
appStore.Delete(certificateGroup.ApplicationCertificate.Thumbprint).Wait();
Utils.LogCertificate(Utils.TraceMasks.Security, "Add new application certificate: ", updateCertificate.CertificateWithPrivateKey);
var passwordProvider = m_configuration.SecurityConfiguration.CertificatePasswordProvider;
appStore.Add(updateCertificate.CertificateWithPrivateKey, passwordProvider?.GetPassword(certificateGroup.ApplicationCertificate)).Wait();
// keep only track of cert without private key
var certOnly = new X509Certificate2(updateCertificate.CertificateWithPrivateKey.RawData);
updateCertificate.CertificateWithPrivateKey.Dispose();
updateCertificate.CertificateWithPrivateKey = certOnly;
}
using (ICertificateStore issuerStore = CertificateStoreIdentifier.OpenStore(certificateGroup.IssuerStorePath))
{
foreach (var issuer in updateCertificate.IssuerCollection)
{
try
{
Utils.LogCertificate(Utils.TraceMasks.Security, "Add new issuer certificate: ", issuer);
issuerStore.Add(issuer).Wait();
}
catch (ArgumentException)
{
// ignore error if issuer cert already exists
}
}
}
}
catch (Exception ex)
{
Utils.LogError(Utils.TraceMasks.Security, ServiceResult.BuildExceptionTrace(ex));
throw new ServiceResultException(StatusCodes.BadSecurityChecksFailed, "Failed to update certificate.", ex);
}
}
return(ServiceResult.Good);
}